Commit graph

3345 commits

Author SHA1 Message Date
Thomas Darimont
1a7600e356
KEYCLOAK-13923 Support PKCE for OIDC based Identity Providers (#7381)
* KEYCLOAK-13923 - Support PKCE for Identity Provider

We now support usage of PKCE for OIDC based Identity Providers.

* KEYCLOAK-13923 Warn if PKCE information cannot be found code-to-token request in OIDCIdentityProvider

* KEYCLOAK-13923 Pull up PKCE handling from OIDC to OAuth IdentityProvider infrastructure

* KEYCLOAK-13923 Adding test for PKCE support for OAuth Identity providers

* KEYCLOAK-13923 Use URI from KeycloakContext instead of HttpRequest

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-01-05 10:59:59 -03:00
mposolda
d4a36d0d9c KEYCLOAK-16350 invalid_scope error response should be displayed for openid-connect/auth 2021-01-05 12:55:53 +01:00
Sven-Torben Janus
4652fd4fcd KEYCLOAK-16540 X.509 Authentication logs Exception when no client cert
When no client cert is present the variable clientCert is null. In this
case the log statement leads to a NPE which then gets logged as an
error.
2021-01-04 10:55:21 +01:00
Jiri Lunacek
d70de48ba9 KEYCLOAK-16605 add localpart username template transformer 2021-01-04 06:30:41 +01:00
keycloak-bot
75be33ccad Set version to 13.0.0-SNAPSHOT 2020-12-16 17:31:55 +01:00
Stefan Guilhen
d6422e415c [KEYCLOAK-16508] Complement methods for accessing user sessions with Stream variants 2020-12-15 19:52:31 +01:00
Takashi Norimatsu
edabbc9449 KEYCLOAK-14203 Client Policy - Executor : Enforce HTTPS URIs 2020-12-15 09:31:20 +01:00
Martin Bartoš
cfc035ee42 KEYCLOAK-15066 Internal Server error when calling random idp endpoint 2020-12-14 16:37:53 +01:00
Takashi Norimatsu
200b53ed1e KEYCLOAK-14192 Client Policy - Condition : Author of a client - User Role 2020-12-14 15:37:05 +01:00
Luca Leonardo Scorcia
8b7806dbb1 KEYCLOAK-16519 Fix typo in regex
The regex has a typo that prevents correct splitting of parameter values containing multiple OIDs.
2020-12-12 21:28:08 +01:00
Michal Hajas
8e376aef51
KEYCLOAK-15847 Add MapUserProvider 2020-12-10 08:57:53 +01:00
Martin Kanis
3ddedc49f5 KEYCLOAK-11417 Internal server error on front channel logout with expired session 2020-12-09 14:45:04 +01:00
Thomas Riccardi
f45e187c35 Finish renaming 'application role' to 'client role' in help texts 2020-12-08 12:18:13 +01:00
Martin Bartoš
873a69305f KEYCLOAK-15264 Import realm using directory provider twice with IGNORE_EXISTING will cause NPE for clientId 2020-12-08 11:28:07 +01:00
Hynek Mlnarik
8c0c542f09 KEYCLOAK-16489 Add ability to run model tests with LDAP 2020-12-07 20:54:06 +01:00
Martin Kanis
f6be378eca KEYCLOAK-14556 Authentication session map store 2020-12-07 20:48:59 +01:00
Lukas Hanusovsky
7f916ad20c KEYCLOAK-14231 - validate supported locales 2020-12-07 19:56:32 +01:00
Stefan Guilhen
edef93cd49 [KEYCLOAK-16232] Streamify the UserCredentialStore and UserCredentialManager interfaces 2020-12-07 19:48:35 +01:00
Stefan Guilhen
73d0bb34c4 [KEYCLOAK-16232] Replace usages of deprecated collection-based methods with the respective stream variants 2020-12-07 19:48:35 +01:00
vramik
bcfe985c24 KEYCLOAK-16543 fix compilation failure on keycloak-services 2020-12-04 13:01:22 +01:00
Ryoji
ea67033097 KEYCLOAK-16474 typo in javadoc sproxy_set_header -> proxy_set_header 2020-12-03 18:07:59 +01:00
Takashi Norimatsu
7da5a71314 KEYCLOAK-14191 Client Policy - Condition : Author of a client - User Group 2020-12-03 17:52:06 +01:00
Ian
be4c99dfe5 KEYCLOAK-15287 Ability to add custom claims to the AccessTokenResponse 2020-12-03 17:28:03 +01:00
Takashi Norimatsu
a51e0cc484 KEYCLOAK-14197 Client Policy - Condition : Client - Client Host 2020-12-02 09:05:42 +01:00
vramik
cd9e01af90 KEYCLOAK-16502 Migration of DELETE_ACCOUNT role 2020-12-01 13:10:20 +01:00
Luca Leonardo Scorcia
cb1060799e KEYCLOAK-16429 Pass default boolean values as strings, as expected by the UI 2020-11-25 12:45:29 +01:00
zak905
4f330f4a57 KEYCLOAK-953: add allowing user to delete his own account feature 2020-11-24 15:50:07 +01:00
Václav Muzikář
e56bd9d8b8 KEYCLOAK-14547: Make New Account Console the default. 2020-11-23 20:56:05 +01:00
Stan Silvert
0afd55f32c KEYCLOAK-14547: Make New Account Console the default. 2020-11-23 20:56:05 +01:00
Takashi Norimatsu
5dd5b5bedf KEYCLOAK-16392 Client Policy - Condition : NPE without any initial configuration 2020-11-23 12:07:28 +01:00
Luca Leonardo Scorcia
bd4315ef37 KEYCLOAK-16065 Replace last UrlConnection uses with HttpClientProvider 2020-11-20 15:07:59 +01:00
Thomas Darimont
00ea64d1d4 KEYCLOAK-16143 Honor AuthenticationProcessor.forwardedErrorMessage when rendering registration form 2020-11-20 15:05:55 +01:00
st
a7666d4ccf KEYCLOAK-11699 add support for 127.0.0.1 for native app 2020-11-20 11:03:29 +01:00
Stefan Guilhen
84df008bc2 [KEYCLOAK-16341] Make the new stream-based methods in server-spi user interfaces default instead of the collection-based versions.
- this ensures that providing implementation for the collection-based methods is enough, which preserves
   backwards compatibility with older custom implementations.
 - alternative interfaces now allow new implementations to focus on the stream variants of the query methods.
2020-11-18 21:07:51 +01:00
nkkumawat
43baf1bea7 KEYCLOAK-16381: error text moved to constants file 2020-11-18 21:05:58 +01:00
Douglas Palmer
43e075afa5 [KEYCLOAK-14352] JavaScript injection vulnerability of Realm registration REST API 2020-11-18 10:48:11 -03:00
Takashi Norimatsu
9ce2e9b1f7 KEYCLOAK-14193 Client Policy - Condition : Client - Client Access Type 2020-11-18 09:49:22 +01:00
Martin Bartoš
59aa31084e KEYCLOAK-16143 Login form expected, but registraion form is displayed 2020-11-13 21:36:51 +01:00
Pedro Igor
42b9141326 [KEYCLOAK-13639] - Improvements to metrics and health status 2020-11-13 07:14:43 -03:00
Takashi Norimatsu
21c7af1c53 KEYCLOAK-14207 Client Policy - Executor : Enforce more secure client signature algorithm when client registration 2020-11-13 09:24:59 +01:00
Pedro Igor
7ad1c350a3 [KEYCLOAK-16245] - Update Quarkus 1.10.0.CR1 2020-11-12 13:21:08 -03:00
Takashi Norimatsu
244a1b2382 KEYCLOAK-14196 Client Policy - Condition : Client - Client Scope 2020-11-12 08:40:28 +01:00
vmuzikar
01be601dbd KEYCLOAK-14306 OIDC redirect_uri allows dangerous schemes resulting in potential XSS
(cherry picked from commit e86bec81744707f270230b5da40e02a7aba17830)

Conflicts:
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
    services/src/main/java/org/keycloak/validation/DefaultClientValidationProvider.java
2020-11-12 08:21:54 +01:00
Miquel Simon
e8e5808aa9 KEYCLOAK-13639. Added metrics and custom healthcheck endpoints, both enabled via 'metrics.enabled' config parameter. 2020-11-11 21:16:14 +01:00
Takashi Norimatsu
e35a4bcefc KEYCLOAK-14206 Client Policy - Executor : Enforce more secure state and nonce treatment for preventing CSRF 2020-11-11 21:11:34 +01:00
Martin Kanis
d9029b06b9 KEYCLOAK-15889 Streamification of ProtocolMappers 2020-11-10 16:40:34 +01:00
Takashi Norimatsu
a0b1710735 KEYCLOAK-14198 Client Policy - Condition : Client - Client IP 2020-11-10 15:37:26 +01:00
Stefan Guilhen
aa46735173 [KEYCLOAK-15200] Complement methods for accessing users with Stream variants 2020-11-10 15:13:11 +01:00
Martin Kanis
8d6577d66c KEYCLOAK-15898 Streamification of Keymanager 2020-11-10 14:43:23 +01:00
Takashi Norimatsu
a63814da67 KEYCLOAK-14201 Client Policy - Executor : Enforce Proof Key for Code Exchange (PKCE) 2020-11-09 08:18:05 +01:00
Thomas Darimont
de20830412 KEYCLOAK-9551 KEYCLOAK-16159 Make refresh_token generation for client_credentials optional. Support for revocation of access tokens.
Co-authored-by: mposolda <mposolda@gmail.com>
2020-11-06 09:15:34 +01:00
stianst
1281f28bb8 KEYCLOAK-15012 Fix issue with folder theme provider 2020-11-06 09:14:36 +01:00
vmuzikar
2df62369c3 KEYCLOAK-15295 User can manage resources with just "view-profile" role using new Account Console
(cherry picked from commit 1b063825755d9f5aa13e612757e8ef7299430761)
2020-11-06 08:55:57 +01:00
Takashi Norimatsu
6dc136dfc0 KEYCLOAK-14199 Client Policy - Executor : Enforce more secure client authentication method when client registration 2020-11-05 20:42:49 +01:00
Martin Bartos
7522d5ac74 KEYCLOAK-15841 Upgrade rest of the minor forms to PF4 2020-11-05 17:58:41 +01:00
Otto Leppänen
bc6bb22173 [KEYCLOAK-16055] Update DefaultKeyManager kid is null logging
Got this "kid is null, can't find public key" without a hint to which realm it's belonging. Not sure if the realm name is dropped because it's null(?), but at least the log message is now explicit. Dropping kid because the text says it's null. Haven't tested whether this breaks tests etc.
2020-11-03 20:40:00 +01:00
Christoph Leistert
e131de9574 KEYCLOAK-14855 Added realm-specific localization texts which affect texts in every part of the UI (admin console / login page / personal info page / email templates). Also new API endpoints and a new UI screen to manage the realm-specific localization texts were introduced.
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
2020-10-30 08:02:43 -03:00
Hynek Mlnarik
925f089d62 KEYCLOAK-16077 Remove need for MapStorage.replace 2020-10-29 15:40:47 +01:00
Martin Bartos
2e59d5c232 KEYCLOAK-14679 Unable to log in with WebAuthn on unsupported browsers 2020-10-29 14:03:17 +01:00
Johannes Knutsen
23c575c236 KEYCLOAK-15399: Wrong token type in token response. bearer vs Bearer 2020-10-28 10:38:22 -03:00
Martin Bartos
a8df7d88a1 [KEYCLOAK-14139] Upgrade login screen to PF4 2020-10-27 20:24:07 +01:00
nxadm
580f2b4977
KEYCLOAK-16040 Typo in comment: Authoirzation => Authorization 2020-10-22 16:26:24 +02:00
stianst
74b5143c5e KEYCLOAK-15498 Disable gzip encoding when themes are not cached 2020-10-22 09:07:37 +02:00
Daniel Fesenmeyer
de8d2eafa3 KEYCLOAK-14781 Extend Admin REST API with search by federated identity
- Add parameters idpAlias and idpUserId to the resource /{realm}/users and allow it to be combined with the other search parameters like username, email and so on
- Add attribute "federatedIdentities" to UserEntity to allow joining on this field
- extend integration test "UserTest"
2020-10-22 08:51:26 +02:00
Sven-Torben Janus
850d3e7fef KEYCLOAK-15511 OTP registration during login with LDAP read-only
When LDAP user federation is configured in read-only mode, it is not
possible to set required actions for users from LDAP.
Keycloak credential model allows for registering OTP devices when LDAP
ist configured with "Import Users" flag enabled. Registering OTP devices
needs to be done via the account management console and works as
expecetd. However, it fails, if a user has to register aN OTP device
during login (i.e. within the authentication flow), because the OTP Form
Authenticator tries to enforce OTP registration via setting the
corresponding required action for the user. That fails, because the user
is read-only.
To work around this, the required action is set on the authentication
session instead.
2020-10-21 17:00:11 +02:00
mposolda
7891daef73 KEYCLOAK-15998 Keycloak OIDC adapter broken when Keycloak server is on http 2020-10-21 08:36:08 +02:00
mhajas
4556e858ad KEYCLOAK-15522 Use AbstractStorageManager in UserStorageManager 2020-10-15 20:41:13 +02:00
Martin Kanis
086f7b4696 KEYCLOAK-15450 Complement methods for accessing realms with Stream variants 2020-10-14 08:16:49 +02:00
testn
269a72d672 KEYCLOAK-15184: Use static inner class where possible 2020-10-09 23:37:08 +02:00
Trey Dockendorf
6e713b5044 KEYCLOAK-15545 Fix null pointer exception when updating flow via API 2020-10-09 23:33:51 +02:00
Luca Leonardo Scorcia
f274ec447b KEYCLOAK-15697 Make the Service Provider Entity ID user configurable 2020-10-09 22:04:02 +02:00
Dustin Frank
59ef7d258f Fix typo in FileTruststoreProviderFactory.java 2020-10-09 22:01:52 +02:00
mposolda
ff05072c16 KEYCLOAK-15770 Skip creating session for docker protocol authentication 2020-10-09 07:53:26 +02:00
mposolda
d269af1b70 KEYCLOAK-15830 Remove authentication session after failed directGrant authentication 2020-10-07 18:13:21 +02:00
vmuzikar
bb7ce62cd5 KEYCLOAK-15332 Missing CORS headers in some endpoints in Account REST API 2020-10-07 09:07:55 -03:00
dashaylan
0d6da99844 Add UserInfo check fix and associated tests. 2020-10-06 08:44:02 +02:00
Markus Till
f0ea7a04bd remove unused getApplications method from user account 2020-10-05 17:02:22 -03:00
Markus Till
43206d3158 minor restructering of the userprofile impl -> add AbstractUserProfile introduced to make getId override explicit 2020-10-05 09:59:44 -03:00
Markus Till
c71ce8cd2e refactoring add UserProfileAttributes 2020-10-05 09:59:44 -03:00
Markus Till
695db3e8ef remove unused isCreated Flag in user profile context 2020-10-05 09:59:44 -03:00
Markus Till
7da619385c refactore userupdate helper api 2020-10-05 09:59:44 -03:00
Markus Till
802a670cc5 have a factory like approach for profile contexts 2020-10-05 09:59:44 -03:00
Markus Till
21cfa54d4d remove StoredUserProfile interface 2020-10-05 09:59:44 -03:00
Markus Till
72f73f153a UserProfile M1 2020-10-05 09:59:44 -03:00
Pedro Igor
0d99e01b98 [KEYCLOAK-15807] - Wrong parsing of Cookie header 2020-10-02 08:19:24 -03:00
Michito Okai
eac3341241 KEYCLOAK-15779 Authorization Server Metadata for the URL of the
authorization server's JWK Set [JWK] document
2020-10-02 11:18:31 +02:00
Thomas Darimont
12576e339d KEYCLOAK-15146 Add support for searching users by emailVerified status
We now allow to search for users by their emailVerified status.
This enables users to easily find users and deal with incomplete user accounts.
2020-09-29 08:28:59 -03:00
Takashi Norimatsu
6596811d5d KEYCLOAK-14204 FAPI-RW Client Policy - Executor : Enforce Request Object satisfying high security level 2020-09-25 08:31:14 +02:00
Pedro Igor
76dede0f1e [KEYCLOAK-14221] - Allow to map subject to userinfo response 2020-09-23 14:33:14 +02:00
Frode Ingebrigtsen
0a0b7da53e KEYCLOAK-15429 Add CORS origin on permission request with invalid access token 2020-09-22 08:56:21 -03:00
Denis
50210c4d9b KEYCLOAK-14161 Regression on custom registration process 2020-09-21 20:23:39 +02:00
mhajas
12bc84322a KEYCLOAK-14974 Map group storage provider 2020-09-21 15:56:32 +02:00
testn
2cd03569d6 KEYCLOAK-15238: Fix potential resource leak from not closing Stream/Reader 2020-09-21 13:05:03 +02:00
Takashi Norimatsu
bd3840c606 KEYCLOAK-15559 Client Policy - Executor : Missing Help Text of SecureResponseTypeExecutor 2020-09-21 12:40:25 +02:00
vmuzikar
790b549cf9 KEYCLOAK-15262 Logout all sessions after password change 2020-09-18 20:09:40 -03:00
mhajas
b75ad2fbd8 KEYCLOAK-15259 Avoid using "null" Origin header as a valid value 2020-09-17 23:21:49 -07:00
mhajas
f7e0af438d KEYCLOAK-14232 Add Referrer-Policy: no-referrer to each response from Keycloak
(cherry picked from commit 0b49640231abc6e465542bd2608e1c908c079ced)
2020-09-17 23:21:49 -07:00
Luca Leonardo Scorcia
10077b1efe KEYCLOAK-15485 Add option to enable SAML SP metadata signature 2020-09-16 16:40:45 +02:00
Mark Wolfe
3723d78e3c KEYCLOAK-15460 Fix missing event types in SAML endpoint
A change was done in 32f13016fa which isn't setting the type for events and causing an internal error.
2020-09-16 16:36:19 +02:00
Martin Kanis
5d5e56dde3 KEYCLOAK-15199 Complement methods for accessing roles with Stream variants 2020-09-16 16:29:51 +02:00